dcrat | 29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356

Analysis

max time kernel
148s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe
Size

1.3MB
MD5

d445bc2cccf91983c11279df901c65b4
SHA1

1e4ba322e6d4590b7c54a98ccad13f35584eb7f8
SHA256

29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356
SHA512

adaccb65405ed3792065377b5d941010e9d108682be4fe205794ee81c7ed5bffae3d7d6db3d8d58f1367782b8fa768f4b7e28959e98ffeafe0ee7c014c61b656
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	2912	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2912	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac54-280.dat	dcrat
behavioral1/files/0x000900000001ac54-281.dat	dcrat
behavioral1/memory/2300-282-0x0000000000490000-0x00000000005A0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5f-303.dat	dcrat
behavioral1/files/0x000600000001ac5f-304.dat	dcrat
behavioral1/files/0x000600000001ac5f-542.dat	dcrat
behavioral1/files/0x000600000001ac5f-549.dat	dcrat
behavioral1/files/0x000600000001ac5f-554.dat	dcrat
behavioral1/files/0x000600000001ac5f-559.dat	dcrat
behavioral1/files/0x000600000001ac5f-564.dat	dcrat
behavioral1/files/0x000600000001ac5f-570.dat	dcrat
behavioral1/files/0x000600000001ac5f-576.dat	dcrat
behavioral1/files/0x000600000001ac5f-581.dat	dcrat
behavioral1/files/0x000600000001ac5f-586.dat	dcrat
behavioral1/files/0x000600000001ac5f-591.dat	dcrat
behavioral1/files/0x000600000001ac5f-596.dat	dcrat
behavioral1/files/0x000600000001ac5f-601.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
2300	DllCommonsvc.exe
756	RuntimeBroker.exe
4768	RuntimeBroker.exe
1988	RuntimeBroker.exe
2680	RuntimeBroker.exe
4608	RuntimeBroker.exe
4568	RuntimeBroker.exe
3576	RuntimeBroker.exe
4524	RuntimeBroker.exe
812	RuntimeBroker.exe
2508	RuntimeBroker.exe
748	RuntimeBroker.exe
4876	RuntimeBroker.exe
3768	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Tasks\SearchUI.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\dab4d89cac03ec	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4332	schtasks.exe
4672	schtasks.exe
2772	schtasks.exe
3108	schtasks.exe
3728	schtasks.exe
4956	schtasks.exe
4324	schtasks.exe
4348	schtasks.exe
3844	schtasks.exe
4312	schtasks.exe
5012	schtasks.exe
5004	schtasks.exe
4972	schtasks.exe
1480	schtasks.exe
3180	schtasks.exe
4616	schtasks.exe
5112	schtasks.exe
3240	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
4580	powershell.exe
4520	powershell.exe
4596	powershell.exe
4548	powershell.exe
4572	powershell.exe
4724	powershell.exe
496	powershell.exe
4548	powershell.exe
756	RuntimeBroker.exe
4572	powershell.exe
496	powershell.exe
4724	powershell.exe
4580	powershell.exe
4520	powershell.exe
4596	powershell.exe
4548	powershell.exe
4572	powershell.exe
496	powershell.exe
4724	powershell.exe
4580	powershell.exe
4520	powershell.exe
4596	powershell.exe
4768	RuntimeBroker.exe
1988	RuntimeBroker.exe
2680	RuntimeBroker.exe
4608	RuntimeBroker.exe
4568	RuntimeBroker.exe
3576	RuntimeBroker.exe
4524	RuntimeBroker.exe
812	RuntimeBroker.exe
2508	RuntimeBroker.exe
748	RuntimeBroker.exe
4876	RuntimeBroker.exe
3768	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	DllCommonsvc.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	756	RuntimeBroker.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4548	powershell.exe
Token: SeSecurityPrivilege	4548	powershell.exe
Token: SeTakeOwnershipPrivilege	4548	powershell.exe
Token: SeLoadDriverPrivilege	4548	powershell.exe
Token: SeSystemProfilePrivilege	4548	powershell.exe
Token: SeSystemtimePrivilege	4548	powershell.exe
Token: SeProfSingleProcessPrivilege	4548	powershell.exe
Token: SeIncBasePriorityPrivilege	4548	powershell.exe
Token: SeCreatePagefilePrivilege	4548	powershell.exe
Token: SeBackupPrivilege	4548	powershell.exe
Token: SeRestorePrivilege	4548	powershell.exe
Token: SeShutdownPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeSystemEnvironmentPrivilege	4548	powershell.exe
Token: SeRemoteShutdownPrivilege	4548	powershell.exe
Token: SeUndockPrivilege	4548	powershell.exe
Token: SeManageVolumePrivilege	4548	powershell.exe
Token: 33	4548	powershell.exe
Token: 34	4548	powershell.exe
Token: 35	4548	powershell.exe
Token: 36	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	496	powershell.exe
Token: SeSecurityPrivilege	496	powershell.exe
Token: SeTakeOwnershipPrivilege	496	powershell.exe
Token: SeLoadDriverPrivilege	496	powershell.exe
Token: SeSystemProfilePrivilege	496	powershell.exe
Token: SeSystemtimePrivilege	496	powershell.exe
Token: SeProfSingleProcessPrivilege	496	powershell.exe
Token: SeIncBasePriorityPrivilege	496	powershell.exe
Token: SeCreatePagefilePrivilege	496	powershell.exe
Token: SeBackupPrivilege	496	powershell.exe
Token: SeRestorePrivilege	496	powershell.exe
Token: SeShutdownPrivilege	496	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4864	2672	29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe	66
PID 2672 wrote to memory of 4864	2672	29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe	66
PID 2672 wrote to memory of 4864	2672	29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe	66
PID 4864 wrote to memory of 4528	4864	WScript.exe	67
PID 4864 wrote to memory of 4528	4864	WScript.exe	67
PID 4864 wrote to memory of 4528	4864	WScript.exe	67
PID 4528 wrote to memory of 2300	4528	cmd.exe	69
PID 4528 wrote to memory of 2300	4528	cmd.exe	69
PID 2300 wrote to memory of 4596	2300	DllCommonsvc.exe	89
PID 2300 wrote to memory of 4596	2300	DllCommonsvc.exe	89
PID 2300 wrote to memory of 4580	2300	DllCommonsvc.exe	92
PID 2300 wrote to memory of 4580	2300	DllCommonsvc.exe	92
PID 2300 wrote to memory of 4520	2300	DllCommonsvc.exe	91
PID 2300 wrote to memory of 4520	2300	DllCommonsvc.exe	91
PID 2300 wrote to memory of 4548	2300	DllCommonsvc.exe	93
PID 2300 wrote to memory of 4548	2300	DllCommonsvc.exe	93
PID 2300 wrote to memory of 4572	2300	DllCommonsvc.exe	94
PID 2300 wrote to memory of 4572	2300	DllCommonsvc.exe	94
PID 2300 wrote to memory of 496	2300	DllCommonsvc.exe	97
PID 2300 wrote to memory of 496	2300	DllCommonsvc.exe	97
PID 2300 wrote to memory of 4724	2300	DllCommonsvc.exe	99
PID 2300 wrote to memory of 4724	2300	DllCommonsvc.exe	99
PID 2300 wrote to memory of 756	2300	DllCommonsvc.exe	103
PID 2300 wrote to memory of 756	2300	DllCommonsvc.exe	103
PID 756 wrote to memory of 2828	756	RuntimeBroker.exe	105
PID 756 wrote to memory of 2828	756	RuntimeBroker.exe	105
PID 2828 wrote to memory of 4048	2828	cmd.exe	107
PID 2828 wrote to memory of 4048	2828	cmd.exe	107
PID 2828 wrote to memory of 4768	2828	cmd.exe	108
PID 2828 wrote to memory of 4768	2828	cmd.exe	108
PID 4768 wrote to memory of 4484	4768	RuntimeBroker.exe	109
PID 4768 wrote to memory of 4484	4768	RuntimeBroker.exe	109
PID 4484 wrote to memory of 3768	4484	cmd.exe	111
PID 4484 wrote to memory of 3768	4484	cmd.exe	111
PID 4484 wrote to memory of 1988	4484	cmd.exe	112
PID 4484 wrote to memory of 1988	4484	cmd.exe	112
PID 1988 wrote to memory of 4936	1988	RuntimeBroker.exe	113
PID 1988 wrote to memory of 4936	1988	RuntimeBroker.exe	113
PID 4936 wrote to memory of 1956	4936	cmd.exe	115
PID 4936 wrote to memory of 1956	4936	cmd.exe	115
PID 4936 wrote to memory of 2680	4936	cmd.exe	116
PID 4936 wrote to memory of 2680	4936	cmd.exe	116
PID 2680 wrote to memory of 1896	2680	RuntimeBroker.exe	117
PID 2680 wrote to memory of 1896	2680	RuntimeBroker.exe	117
PID 1896 wrote to memory of 5028	1896	cmd.exe	119
PID 1896 wrote to memory of 5028	1896	cmd.exe	119
PID 1896 wrote to memory of 4608	1896	cmd.exe	120
PID 1896 wrote to memory of 4608	1896	cmd.exe	120
PID 4608 wrote to memory of 4376	4608	RuntimeBroker.exe	122
PID 4608 wrote to memory of 4376	4608	RuntimeBroker.exe	122
PID 4376 wrote to memory of 4680	4376	cmd.exe	123
PID 4376 wrote to memory of 4680	4376	cmd.exe	123
PID 4376 wrote to memory of 4568	4376	cmd.exe	124
PID 4376 wrote to memory of 4568	4376	cmd.exe	124
PID 4568 wrote to memory of 2380	4568	RuntimeBroker.exe	125
PID 4568 wrote to memory of 2380	4568	RuntimeBroker.exe	125
PID 2380 wrote to memory of 2216	2380	cmd.exe	127
PID 2380 wrote to memory of 2216	2380	cmd.exe	127
PID 2380 wrote to memory of 3576	2380	cmd.exe	128
PID 2380 wrote to memory of 3576	2380	cmd.exe	128
PID 3576 wrote to memory of 3132	3576	RuntimeBroker.exe	129
PID 3576 wrote to memory of 3132	3576	RuntimeBroker.exe	129
PID 3132 wrote to memory of 4720	3132	cmd.exe	131
PID 3132 wrote to memory of 4720	3132	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe
"C:\Users\Admin\AppData\Local\Temp\29102d4e52cba68e42c005c73789ed645dcfbef56eaffe1e65eb709bcd230356.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4048
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3768
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1956
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5028
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4680
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2216
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4720
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        20⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4556
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        22⤵
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4052
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        24⤵
        
        PID:4908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1088
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        26⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4844
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
        28⤵
        
        PID:3704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3440
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\Tasks\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22ac18221c471819cd862d5b69a11f16

SHA1
9fe1b079cdb2fb2a4f33a3c749b42cf57ada2ade

SHA256
37fc80593510a1cf04c4571893d65c58946ba1edc7f80d1fc493fb4335758ea5

SHA512
24226832eadceac322645517dbc029c5bcf29be88eb8f496700c2f2672dddad6bce88d31b582dda9050e11c74c2f729f7a672dd9cb1ef2f706f5d4b03ecb8c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22ac18221c471819cd862d5b69a11f16

SHA1
9fe1b079cdb2fb2a4f33a3c749b42cf57ada2ade

SHA256
37fc80593510a1cf04c4571893d65c58946ba1edc7f80d1fc493fb4335758ea5

SHA512
24226832eadceac322645517dbc029c5bcf29be88eb8f496700c2f2672dddad6bce88d31b582dda9050e11c74c2f729f7a672dd9cb1ef2f706f5d4b03ecb8c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63bdbc2dae047df3bb6010b135f59e7f

SHA1
9d7c7574052c446c03b44f166d78915c900cc3c2

SHA256
47eed3f63d3d4d3730b4f5bcc5753d12916a0f2895da39d60b3993cd3faddee5

SHA512
9a9ae5572e6cf937a522ad74247ac2927e98a350c5e3c4bd124477fd999213f3f125f6fc3d8a903de51369d446c410425d575484f74b2309fc164a68edcba15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63bdbc2dae047df3bb6010b135f59e7f

SHA1
9d7c7574052c446c03b44f166d78915c900cc3c2

SHA256
47eed3f63d3d4d3730b4f5bcc5753d12916a0f2895da39d60b3993cd3faddee5

SHA512
9a9ae5572e6cf937a522ad74247ac2927e98a350c5e3c4bd124477fd999213f3f125f6fc3d8a903de51369d446c410425d575484f74b2309fc164a68edcba15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c33b386e6a4b8b49fa034e9b5a23c15e

SHA1
79e30bda0d292c49e8eb5b74cab1eb51a8eb305a

SHA256
ecc8ba8bd2893f6097bcf124da728fca74f1b2d8afbcf4c824ecd11ca4aa6032

SHA512
267cb0163a5efd0c7821cdd6a557d64cf297f14b64d3c9dbaba919074e167d1ef77b3355aca9b0008e7829685df6e688e96eeeb351eec7e7cf7722e1b51dcbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c33b386e6a4b8b49fa034e9b5a23c15e

SHA1
79e30bda0d292c49e8eb5b74cab1eb51a8eb305a

SHA256
ecc8ba8bd2893f6097bcf124da728fca74f1b2d8afbcf4c824ecd11ca4aa6032

SHA512
267cb0163a5efd0c7821cdd6a557d64cf297f14b64d3c9dbaba919074e167d1ef77b3355aca9b0008e7829685df6e688e96eeeb351eec7e7cf7722e1b51dcbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
204B

MD5
616a611578c3f64ff0500f6d4ec2e7cd

SHA1
6b14860f818a071afea6f3c167b321c5a28fb904

SHA256
ece4136e7341dbdab8abb24f66113c3841775b63f8a9b162671b81969939f167

SHA512
593e606cd3803f32a4a4c5d852f766fe4b3ac6d27c95681d1eb8fd3020ea49b169a5678ba285a49914e67a8fd6ae0d2d79dc2d0c13df91c4e57efc50260aa474

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
204B

MD5
231cdf8edf57a62f25b1e631742d049b

SHA1
5dc4df24d02bd41d50163ff3d6cb930c28f73902

SHA256
5d788d2289e4ea9cbda95c328bfad78b80c4fc607fcd0893a962d1019b559c64

SHA512
79135259c38347ef933ac38f58c1c6e2281c94de370147e58e1d714b27fcfc90baa0bef4616108a22895346122b7b2ff13e79353850ce7b3d14cb98c78d5a949

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
204B

MD5
815c54c3fcd5a95d2fc58f56c4e4a469

SHA1
32d579c5ae58129ea6e417551b49e9e8805aa446

SHA256
cdc352ba156e1d922564f44a657c4b88bfdc20e640b35568e8c85935dea49671

SHA512
de9a738dc594e277833806a76cddf76ffb008cf9fd6191438978ef45e42dca6f5fe3ba1ad7e314963917b9dc14434d6c4e054d9cb000157a30724dcb05cda366

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
204B

MD5
5a4fc068fd188994c3fb2b06a67ddd5b

SHA1
6e59d7fc752976c974c94ac7810b33b902cb1789

SHA256
fa051b68db5e0ae0901210e70293657e909fe46da5976fa5075b9185d09ba209

SHA512
e72b37d0d1fd567d0661a7e9908e615c8d806b43b016a6d268e1f6d5fd81ec039f3318071f483a01b49a7f8e2b5456d6c11a36e2f135c292c148dba64282479f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
204B

MD5
192daed618417a9df3769991201ab09e

SHA1
1e6cbf8b58b26079c0a1c3451f4ed2d4449c904d

SHA256
5560fb76ff66df4767367e44982094053ff63e5e9374aca504ae5dd52954d90c

SHA512
e07582af1d94528f79a2de9b1201ebff37ab7ad13d83cb3c4c8b5555798cbd734dbfd6e20093302b3c3b0d9b35898c7ed20307749bb85152d4333d1c6a33127d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
204B

MD5
192daed618417a9df3769991201ab09e

SHA1
1e6cbf8b58b26079c0a1c3451f4ed2d4449c904d

SHA256
5560fb76ff66df4767367e44982094053ff63e5e9374aca504ae5dd52954d90c

SHA512
e07582af1d94528f79a2de9b1201ebff37ab7ad13d83cb3c4c8b5555798cbd734dbfd6e20093302b3c3b0d9b35898c7ed20307749bb85152d4333d1c6a33127d

Download Submit
C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat

Filesize
204B

MD5
9ff0ea33bf9d617ff27e8daa9a0233b0

SHA1
097d8b1c03e0f90e5447a3c50537b65742cfe83e

SHA256
37c4fde89cd12b68362be365ccfe15d39927f127dd4dfdb53ebaaa98b5bd3be2

SHA512
0ad0d22624369c07a8017865a1e1eac03f12edec751c4399186750f00d27952a9e1fefb1d4e46564da21a1967370937a94e4ef6a1dd8fd4d183175471c9edb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
204B

MD5
a9fe87c213dda60ec23fbda274c61b26

SHA1
f12113c6923350af30631f628db7482613a6f85e

SHA256
7b0ad6d13fe72d335ea3ad4244c2ef46b737c3a8967f29da09b72df9101e6663

SHA512
e779121a6f940033ef39bcf19bafae3bb64434bebbffc2c8fe73991eb36c0cc2063442fe72291592120165805b2dd6115018bc3ddcc8193085a92d9093e2f183

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
204B

MD5
312bd9cdabae4751a13226f88b2afafa

SHA1
0f73cf3a983b2d4b8457edd939756f9c5c703007

SHA256
aaad849676a8c502fa90f781bb7f19a3add687b1cfc2b520abaedf2eb03399cf

SHA512
f923818bc275606bfe011e424c3882547f082aa5f3a50f9373e037a9da65a1058037d21359ae1e6fc5131ff582d602cc8be32e49bfb6a89c563053cbdc000f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

Filesize
204B

MD5
bbe9f7199c9a36e914bfd701ca5c4526

SHA1
7d62198077cb7b997d4e79a7eecd485baa642e7d

SHA256
8d1ec964d62032cabfc48c15ec1ec5dcaf4799841d296b2f96ee280dec1e6ebd

SHA512
334eff44953be834d8e9c5c71d80f03de1fdbf9ee49a886333ed64bf69e2ddda8d55c9677dbcbc6ef68f53594d13ab1711446ab71ecf5f76e713a2b39c4de3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
204B

MD5
f7063e481cc9fece4b6bf7f6642a05cb

SHA1
7046666189a6eb84a55300ddd1a83d1860d75f2a

SHA256
483e05ce2cc8534d48f0b33bb8393c47e3e11705e9da7104608359609af4b33b

SHA512
5e25cc402d16ea6b21f2d0d67c9604d5d46f46f31554d5c33e980a710896a731c3105da0d54e46767526ab3584923594bd21dfe3866677c1f390163f425de800

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
204B

MD5
828100b65eeb5969b5c4002fcf831084

SHA1
8b1d6734a27e07a47b7edb4812355dd7971913b9

SHA256
2473f65e777046edaa79043fa69341ca94340940201fbf8e3e1e9e4faae6c8b9

SHA512
a50725d35fe2e8f6c5bbbd96984dc609c8d6e040257ea3b299ee1edfc9fbc813b725182fd66117c7333e489e79e1b1d6cdcfefc55bf08e1fc8719d4ff2900726

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/756-325-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/2300-282-0x0000000000490000-0x00000000005A0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-286-0x0000000002710000-0x000000000271C000-memory.dmp

Filesize
48KB

Download
memory/2300-285-0x0000000002700000-0x000000000270C000-memory.dmp

Filesize
48KB

Download
memory/2300-284-0x0000000002720000-0x000000000272C000-memory.dmp

Filesize
48KB

Download
memory/2300-283-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/2672-147-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-130-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-178-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-179-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-166-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-176-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-117-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-165-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-164-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-118-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-175-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-119-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-163-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-162-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-174-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-173-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-172-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-171-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-161-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-121-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-122-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-124-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-160-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-159-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-158-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-157-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-156-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-155-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-154-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-125-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-168-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-153-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-152-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-151-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-150-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-149-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-148-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-167-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-145-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-146-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-177-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-144-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-126-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-143-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-142-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-169-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-170-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-140-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-139-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-138-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-137-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-136-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-135-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-129-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-133-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-131-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-127-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-116-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-128-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/3576-571-0x00000000014F0000-0x0000000001502000-memory.dmp

Filesize
72KB

Download
memory/4520-326-0x00000227C1D10000-0x00000227C1D32000-memory.dmp

Filesize
136KB

Download
memory/4548-335-0x00000223E3950000-0x00000223E39C6000-memory.dmp

Filesize
472KB

Download
memory/4568-565-0x00000000011B0000-0x00000000011C2000-memory.dmp

Filesize
72KB

Download
memory/4768-544-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/4864-182-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4864-181-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download